Firewalls and Virtual Private Networks - wiley.com · PDF fileFirewalls and Virtual Private Networks 187 Types of Firewalls Firewalls can be classified into three basic categories:

185

C H A P T E R

9

Firewalls and VirtualPrivate Networks

Introduction

In Chapter 8, we discussed the issue of security in remote access networks.In this chapter we will consider how security is applied in remote accessnetworks. In particular, we will discuss how

firewalls

are used to protectcorporate resources from outside intruders and how

virtual private

networks

enable branch offices and remote users to access the corporatenetwork in a secure manner via non-secure public networks.

Firewall Protection

As stated in Chapter 8, remote access networking is a necessity in mostcorporations. For most of these corporations, the Internet is the virtualbackbone of their enterprise network, interconnecting an organization’scorporate network and those of its business partners and customers. TheInternet also provides an inexpensive way to link branch offices, tele-commuters, and mobile workers to the corporate network. Unfortunately,linking a corporate network to the Internet exposes it to the outside world.While the security mechanisms discussed in Chapter 8 can deter unauthorizedaccess to the corporate network via the Internet, they are not foolproof. Extra

ch09 Page 185 Thursday, March 11, 1999 3:14 PM

186

Chapter 9

steps are usually taken, in conjunction with those discussed in Chapter 8, toprotect the confidential information located in the corporate network fromexternal unauthorized users.

This protection is provided by implementing appropriate network accesscontrol policies and using firewalls to enforce them. A firewall is a securitysystem that controls access to a protected network, such as a privatecorporate network. The network is being protected from an untrustedpublic network, such as the Internet. As a result, a firewall is located sothat every access request from a public network to the protected networkmust pass through the firewall, eliminating the need for individualprotection of every server and host in the protected network.

A firewall is typically located the point the network connects to theInternet. This location permits the firewall to provide authentication andother security services to remote users in order to prevent unauthorized usersfrom logging in to the network. Figure 9.1 illustrates a firewall-controlledaccess to the corporate network from the Internet.

For a firewall to be effective, companies first need to define theirnetwork security policy. A network security policy identifies the resourcesthat need protection and the threats against them. It then defines how theycan be used and who can use them, and stipulates the actions to be takenwhen the policies are violated. A policy is a set of rules against whicharriving packets are tested. Examples of such rules include what IP trafficthe organization wants to allow into its network, what source addressesshould be excluded from the network, and what destination addresseswithin the network can be accessed from outside the network. Specificactions to be taken include

accept packet

and

reject packet

. The firewall isresponsible for filtering traffic according to the security policy.

Figure 9.1

Firewall-controlled access from the Internet.

Corporate

Network

Firewall

Corporate Premises

Internet


Firewalls and Virtual Private Networks

187

Types of Firewalls

Firewalls can be classified into three basic categories:

packet filters

,

proxy

servers

(which include

application gateways

and

circuit-level gateways

), and

stateful packet filters

. There is a fourth category that is essentially a hybrid ofthe three main categories. For example, a firewall may be a combination of theapplication gateway and packet filter, or a proxy server and a stateful packetfilter. Figure 9.2 illustrates the different types of firewalls.

Packet Filters

A packet filter is a firewall that inspects each packet for user-definedfiltering rules to determine whether to pass or block it. For example, thefiltering rule might require all Telnet requests to be dropped. Using thisinformation, the firewall will block all packets that have a port number 23(the default port number for Telnet) in their header. Filtering rules can bebased on source IP address, destination IP address, Layer 4 (that is, TCP/UDP) source port, and Layer 4 destination port. Thus, a packet filter makesdecisions based on the network layer and the transport layer.

Packet filters are fast and can be easily implemented in existing routers.Unfortunately, they are the least secure of all firewalls. One disadvantage ofpacket filters is that they have no logging facility that can be used to detectwhen a break-in has occurred. Also, a packet filtering firewall grants or deniesaccess to the network according to the source and destination addresses andthe source and destination ports. Unfortunately, these ports can be spoofed. Asa result, anyone can access network resources once access has been granted toan authorized user.

Figure 9.2

Firewall classification.

Firewalls

Proxy ServersPacket Filters Stateful PacketFilters

ApplicationGateways

Circuit-LevelGateways


188

Chapter 9

Proxy Servers

A proxy service is an application that redirects users’ requests to the actualservices based on an organization’s security policy. All communicationbetween a user and the actual server occurs through the proxy server. Thus, aproxy server acts as a communications broker between clients and the actualapplication servers. Because it acts as a checkpoint where requests arevalidated against specific applications, a proxy server is usually processingintensive and can become a bottleneck under heavy traffic conditions.

Proxy servers can operate at either the application layer or the transportlayer. Thus, there are two classes of proxy servers: application gateways,which operate at the application layer; and circuit-level gateways, whichoperate at the transport layer.

Application Gateways

An application gateway is a proxy server that provides access control atthe application layer. It acts as an application-layer gateway between theprotected network and the untrusted network. Because it operates at theapplication layer, it is able to examine traffic in detail and, therefore, isconsidered the most secure type of firewall. It can prevent certainapplications, such as FTP, from entering the protected network. It can alsolog all network activities according to applications for both accounting andsecurity audit purposes.

Application gateways can also hide information. Since all requests forservices in the protected network pass through the application gateway, itcan provide network address translation (or IP address hiding) functionalityand conceal IP addresses in the protected network from the Internet byreplacing the IP address of every outbound packet (that is, packets goingfrom the protected network to the Internet) with its own IP address.Network address translation also permits unregistered IP addresses to befreely used in the protected network because the gateway will map them toits own IP address when the users attempt to communicate with theoutside world.

Circuit-Level Gateways

A circuit-level gateway is a proxy server that validates TCP and UDP sessionsbefore allowing a connection or circuit through the firewall. It is activelyinvolved in the connection establishment and does not allow packets to beforwarded until the necessary access control rules have been satisfied.



189

A circuit-level gateway is not as secure as an application gatewaybecause it validates TCP and UDP sessions without full knowledge of theapplications that use these transport services. Moreover, once a sessionhas been established, any application can run across that connection. Thisbehavior exposes the protected network to attacks from intruders. Unlikea circuit-level gateway, an application gateway can differentiate theapplications that need to be blocked from those that can be allowed to passthrough the gateway.

Stateful Packet Filters

Although the application gateway provides the best security among thepreceding firewalls, its intensive processing requirement slows downnetwork performance. A stateful packet filtering gateway attempts to providetight security without compromising performance. Unlike the applicationgateway, it checks the data that passes through at the network layer but doesnot process it. The firewall maintains state information for each session,where session states include a combination of communication phase and theendpoint application state. When a stateful packet filtering gateway receivesa data packet, it checks the packet against the known state of the session. Ifthe packet deviates from the expected session state, the gateway blocks therest of the session.

Firewall Architectures

Firewall architecture refers to the manner in which firewall componentsare arranged to provide effective protection against unauthorized users. Itis usually defined after the network security policy has been definedbecause it is supposed to be a model that enforces the security policy.

The network security policy is enforced at defensible boundaries withinthe network called

perimeter networks

. A corporate network usuallycontains multiple perimeter networks that can be classified into threegroups: the

outermost

perimeter

network, one or more

internal

perimeter

networks, and the

innermost perimeter

network. The outermost perimeternetwork provides a boundary between corporate resources (that need tobe protected) and external resources (resources the corporation cannotcontrol). Internal perimeter networks represent boundaries within thecorporate network that need additional security. Figure 9.3 shows therelationships among the three types of perimeter networks.


190

Chapter 9

Figure 9.3 provides only one potential firewall configuration; not all networkshave three levels of perimeter networks. Organizations need to configure theirfirewalls to meet their network security policy. The following section discussesthe three most commonly used firewall architectures.

Dual-Homed Host Firewall

A dual-homed host firewall is a type of the multi-homed host firewall. In thedual-homed host firewall, the host (which provides the firewallfunctionality) has two interfaces: One interface is connected to the privatenetwork and the other interface is connected to the Internet (or some otheruntrusted network). Thus, all IP traffic from the Internet must pass throughthe firewall before arriving at a host in the private network. Similarly, aninternal host can communicate with external hosts (that is, hosts in theInternet) via the dual-homed host.

Direct communication that bypasses the dual-homed host is blocked.This means that the IP forwarding capability of the dual-homed host isdisabled to ensure that IP packets from one network are not be directlyrouted to the other network. The dual-homed host cannot operate as arouter. However, disabling IP packet forwarding ensures that the Internetand the private network are logically disconnected so that even whensystem problems occur the firewall cannot

fail open

. Data can only pass

Figure 9.3

Perimeter networks.

Internet Corporate Network

Innermost Perimeter

Outermost Perimeter

Internal Perimeter

Internal Perimeter



191

through the firewall via its application proxies, not through the operatingsystem layer. Figure 9.4 illustrates a dual-homed host firewall.

The dual-homed host can be used to completely block access to theprivate network when it provides proxy services (such as Telnet, FTP andHTTP), as shown in Figure 9.4, the server providing the particular service islocated between a packet filtering router, which may be present, and thedual-homed host. This arrangement prevents intruders from accessingsystems protected by the dual-homed host.

Screened Host Firewall

Unlike the dual-homed host firewall architecture, which allows the hostfirewall to be connected to two networks, the screened host firewallarchitecture allows the host providing the firewall (called a

bastion

host)to connect only to the private network. A separate screening router isplaced between the host and the Internet. Thus, the screened host firewallis a combination of a packet filtering router and an application gateway.

The screening router performs a packet filtering function and isconfigured so that the bastion host is the only host in the private networkthat can be accessed from the Internet. Extra security can be provided inthe screening router by configuring it to block traffic to specific ports onthe bastion host. Figure 9.5 illustrates the screened host firewall.

The screening router may be configured to permit or block connectionsbetween internal hosts and the Internet. Its basic function is to filter traffic

Figure 9.4

Dual-homed host firewall architecture.


Dual-HomedHost

Other Hosts on

Information Server

Proxy traffic (Telnet, FTP, HTTP)

Other traffic


192

Chapter 9

classes that have been defined as security risks in the security policy beforethey arrive at the bastion and other internal hosts. Since the bastion host isthe most exposed host in the private network, it is usually the mostprotected host. Generally, there are two or more bastion hosts in a network.

One of the advantages of this architecture is that a public informationserver providing FTP, Telnet, and HTTP services can be placed on thenetwork segment between the screening router and the bastion host. Ifstronger security is desired, the bastion host can be configured to runproxy services that require both internal and external users to access theinformation server through the bastion host. In fact, one of the mainfunctions of the bastion host is to act as a proxy server for various servicesincluding FTP, HTTP, Telnet, DNS, and SMTP.

One of the problems with the screened host firewall architecture is thatonce an attacker breaks through the bastion host, all the hosts in the privatenetwork are exposed to the attacker. In a dual-homed host firewall, however, itis impossible to pass through the dual-homed host without a correspondingproxy server. Unlike the dual-homed host firewall, the screened host firewallrequires the screening router and the bastion host to be configured

Screened Subnet Firewall

The screened subnet firewall can be considered an extension of thescreened host firewall. Like the screened host firewall, it uses a screening

Figure 9.5

Screened host firewall.


ScreeningRouter

HostBastion

Other Hosts on

Information Server

Proxy/application traffic

Other traffic



193

router (called the outer or external router) and a bastion host. However,this firewall, which is also called the

Demilitarized Zone

(DMZ), createsan extra layer of security by adding a perimeter network that furtherisolates the private network from the Internet. The firewall defines a DMZdemarcated by the outer router and an internal router, where the latter isplaced closer to the private network than the outer router. The DMZ is aninner screened subnet bounded by the internal router and the outer router.The bastion host and information server are then located within the DMZ,as shown in Figure 9.6.

The DMZ can be considered an isolated network between the privatenetwork and the Internet. The outer router protects the network fromexternal attacks by restricting access to systems in the DMZ. It also blockstraffic to the Internet from unauthorized sources in the private network.The internal router manages DMZ access to the private network by passingonly traffic from the bastion host to the hosts in the private network thatare not in the DMZ, and vice versa.

For an attack to reach any internal host located outside the DMZ, it mustbreak through both routers. In addition, the architecture reveals only theDMZ network to the outside world and keeps the private network hidden.However, there is a drawback to this architecture: two routers and thebastion host need to be properly configured.

Figure 9.6

Screened subnet firewall.


OuterRouter

HostBastion

InternalRouter

DMZ

Other Hosts on

Information Server

Other traffic

Proxy/application traffic


194

Chapter 9

Virtual Private Networks

A virtual private network (VPN) provides a secure connection between asender and a receiver over a public non-secure network such as the Internet. Asecure connection is generally associated with private networks. (A privatenetwork is a network that is owned, or at least controlled via leased lines, byan organization.) Using the techniques discussed later in this chapter, a VPNcan transform the characteristics of a public non-secure network into those ofa private secure network. VPNs reduce remote access costs by using publicnetwork resources. Compared to other solutions, including private networks,a VPN is inexpensive.

VPNs are not new. In fact, they have been used in telephone networks foryears and have become more prevalent since the development of theintelligent network. Frame relay networks, which have been around forsome time, are VPNs. Virtual private networks are only new to IP networkssuch as the Internet. Therefore, some authors use the terms

Internet

VPN

and

virtual private data network

to distinguish the VPN described in thischapter from other VPNs. In this book, the term VPN refers to Internet VPN.

The goal of a VPN is to provide a secure passage for users’ data over thenon-secure Internet. It enables companies to use the Internet as the virtualbackbone for their corporate networks by allowing them to create secure

virtual

links between their corporate office and branch or remote officesvia the Internet. The cost benefits of VPN service have promptedcorporations to move more of their data from private WANs to Internet-based VPNs.

A VPN uses data encryption and other security mechanisms to preventunauthorized users from accessing data, and to ensure that data cannot bemodified without detection as it flows through the Internet. It then uses the

tunneling

process to transport the encrypted data across the Internet.Tunneling is a mechanism for encapsulating one protocol in anotherprotocol. In the context of the Internet, tunneling allows such protocols asIPX, AppleTalk, and IP to be encrypted and then encapsulated in IP.Similarly, in the context of VPNs, tunneling disguises the original networklayer protocol by encrypting the packet and enclosing the encryptedpacket in an IP

envelope

. This IP envelope, which is an IP packet, can thenbe transported securely across the Internet. At the receiving side, theenvelope is removed and the data it contains is decrypted and delivered tothe appropriate access device, such as a router.

Simply put, a corporation is creating a private

tunnel

through theInternet for the secure delivery of its data. The tunnel enables the



195

corporation to create a virtual WAN, within the Internet, that is cheaperthan private WANs and safe from intruders.

VPNs also provide quality of service (QoS) guarantees, which usuallyspecify an upper bound on the average packet delay in the network. Theguarantees may also include specification of a lower bound on thebandwidth available to the user. These guarantees are developed throughservice level agreements (SLAs) with the service provider. Most serviceproviders have their own private backbone IP networks. Therefore, they arein a better position to meet QoS guarantees. However, such networks do notprovide the global coverage as the Internet. Sometimes a service providermakes private peering arrangements with other service providers, whoseprivate IP networks cover more area. This arrangement allows the serviceprovider to hand off its high-priority traffic (that is, traffic with stringent QoSrequirements) to networks with a guaranteed QoS instead of putting suchhigh-priority traffic on the Internet where delay is unpredictable.

From the preceding discussion, we can define a VPN by the followingrelationship:

VPN = Tunneling + Security + QoS Guarantees

The remainder of the chapter deals with different tunneling techniquesused to create VPNs.

Advantages of VPNs

As stated earlier, VPNs are inexpensive; they provide remote and mobileuser with access to the corporate network at the price of a local call.

VPNs also provide the framework for corporate

intranets

and

extranets

.Corporations can exploit the global nature of the Internet and use VPNs tolink all branch offices into private networks called intranets. A corporationcan make certain sections of its intranet accessible to its vendors andstrategic partners by means of the extranet. Both intranets and extranetsare discussed in greater detail in Chapter 10.

VPN tunnels permit non-routable protocols to be delivered to specificLAN segments in the corporate intranet. In this way, VPNs enable legacyapplications to use the intranet.

VPNs have also contributed significantly to the increased use of private IPaddresses. Since applications are tunneled rather than routed across the WAN,companies can assign their own addresses, as long as these addresses are notadvertised to the outside world, as discussed in Chapter 5.


196

Chapter 9

Types of VPNs

Currently there are three types of VPNs. While their goal is to leveragethe Internet as a private enterprise backbone network, each of themaddresses the needs of a different interest group in the enterprise. Thethree types of VPNs are as follows:

1.

Access VPNs

provide remote users such as road warriors (or mobileusers), telecommuters, and branch offices with reliable access tocorporate networks.

2.

Intranet VPNs

allow branch offices to be linked to corporate head-quarters in a secure manner.

3.

Extranet VPNs

allow customers, suppliers, and partners to accesscorporate intranet in a secure manner.

Because of their growing importance in corporate networking, bothintranet VPNs and extranet VPNs are discussed in greater detail in Chapter10. Most of the discussion in this chapter deals with access VPNs, whichare the building blocks for intranet VPNs and extranet VPNs.

VPN Architectures

A VPN consists of our components: a VPN client, a network access server(NAS), a tunnel terminating device (or

VPN server

), and a VPN protocol. In atypical access VPN connection, a remote user (or VPN client) initiates a PPPconnection with the ISP’s NAS via the public switched telephone network(PSTN). An NAS is a device that terminates dial-up calls over analog (basictelephone service) or digital (ISDN) circuits. The NAS is owned by the ISP, andis usually implemented in the ISP’s POP. After the user has been authenticatedby the appropriate authentication method, the NAS directs the packet to thetunnel that connects both the NAS and the VPN server. The VPN server mayreside in the ISP’s POP or at the corporate site, depending on the VPN modelthat is implemented. (VPN models are discussed later in this chapter.) TheVPN server recovers the packet from the tunnel, unwraps it, and delivers it tothe corporate network. Figure 9.7 illustrates VPN architecture.

There are four tunneling protocols used to establish VPNs, and three areextensions of the Point-to-Point Protocol (PPP):

■■

Point-to-Point Tunneling Protocol (PPTP)

■■

Layer 2 Forwarding (L2F)



197

■■

Layer 2 Tunneling Protocol (L2TP)

■■

IP Security (IPSec) Protocol Suite

When both PPTP and L2F were submitted to the IETF, the organizationdecided to combine the features of both protocols into a commontunneling protocol, which is now L2TP. The Layer 2 Tunneling Protocolwas in the draft stage at the time of writing.

The four protocols can be classified broadly into two groups: Layer 2tunneling protocols and Layer 3 tunneling protocols. PPTP, L2F, and L2TP areLayer 2 tunneling protocols, while IPSec is a Layer 3 tunneling protocol.

Layer 2 Tunneling Protocols

Layer 2 tunneling protocols operate at the data link layer (or Layer 2). Theyencapsulate Layer 3 packets in Layer 2 PPP before encapsulating them in IP.They use the security provided by PPP. Thus, they perform user authenticationusing existing PPP authentication protocols, namely PAP and CHAP. Nospecific provision is made for data encryption, which may be performed by theuser prior to requesting VPN service.

The general structure of the tunnel creation process for Layer 2tunneling protocols is shown in Figure 9.8. A client initiates a PPPconnection by dialing up the NAS, which is typically implemented in theISP’s POP. The client then uses the logical control protocol (LCP)negotiation to establish the PPP connection. Once the PPP connection is

Figure 9.7

Virtual private network architecture.

Internet Corporate NetworkVPN

PSTN NAS

Layer 3 Protocol

IP IP

Layer 3 Protocol

Server

Remote

VPN Client

ISPISP

Network

VPN Client


198

Chapter 9

established, the NAS uses either PAP or CHAP to authenticate the client. Ifthe authentication is successful, the NAS attempts to open a PPPconnection to the VPN server using LCP negotiation. The VPN server willauthenticate the NAS using PAP or CHAP. The client and the VPN serverwill then use the network control protocol (NCP) to negotiate the networklayer protocol. This completes the tunneling process.

Note that different tunneling protocols handle this process in different ways.However, in principle, they are closely related to the preceding process.

PPTP

PPTP is a protocol developed by Microsoft and a group of network equipmentvendors including Ascend Communications and 3Com. It permits IPX,

Figure 9.8

Tunnel creation process for Layer 2 VPNs.

Client NAS VPN Server Corporate Server

Call

Answer

LCP Negotiation

PPP Authentication

PPP Authentication

Open VPN Request

Open VPN Reply

NCP Negotiation

VPN Established

PPP Authentication Successful

Request

Reply



199

NetBEUI, and IP packets to be encapsulated inside IP packets, enabling non-IPapplications to run over the Internet. As an extension of PPP, it handles onlypoint-to-point connections; it does not support point-to-multipoint connections.More importantly, PPTP is an IP-centric protocol that is designed only for IPnetworks.

In PPTP, the NAS that allows the remote user to initiate a VPN call iscalled the

PPTP

access concentrator

(PAC), and the VPN server is calledthe

PPTP network server

(PNS). Figure 9.9 illustrates the components of aPPTP-based VPN.

PPTP does not provide packet-by-packet encryption. Instead, it relies onPPP’s native encryption capability in PAP and CHAP. A PPTP packet isencapsulated in Generic Routing Encapsulation (GRE), which is thencarried over IP. PPTP separates the control and data channels into acontrol stream that runs over TCP and a data stream that runs over GRE.Figure 9.10 illustrates the PPTP packet format. The PPP payload consistsof the data and its TCP and IP headers.

PPTP is a proprietary protocol, but most VPNs to date are based on thisprotocol. PPTP uses TCP, which allows it to support flow control. It alsosupports a rate control mechanism that limits the amount of data in transit,minimizing the need for retransmission due to dropped packets. Thisresults in better use of the bandwidth.

L2F

L2F is a proprietary protocol that was developed by Cisco Systems. It isprotocol-independent and can run over X.25, frame relay, and ATM networks.

Figure 9.9

PPTP VPN components.

InternetCorporate

PNSPSTN PAC

Layer 3 Protocol

IP IP

Layer 3 Protocol

Remote Network

VPN Client

ISP ISP

Network


200 Chapter 9

It supports private IP, IPX, and AppleTalk, and uses UDP for Internet tunnel-ing. L2F defines many connections within a tunnel, allowing a tunnel to supportmany connections.

In L2F, the VPN server is called the Home Gateway. L2F uses PPP fordial-up user authentication. However, it also supports other authenticationschemes including RADIUS and TACACS+. Figure 9.11 illustrates thecomponents of an L2F-based VPN.

Unlike PPTP, L2F defines its own encapsulation header, which is notdependent on IP and GRE. This capability permits L2F to work in differenttypes of networks. Figure 9.12 illustrates the format of an L2F packet. TheSLIP/PPP payload is encapsulated in an L2F packet with an L2F header andan optional L2F checksum as the trailer.

L2TP

As stated earlier, L2TP combines the features of PPTP and L2F. Unlike PPTP,which runs over TCP, L2TP runs over UDP and does not use GRE. Because

Figure 9.10 PPTP packet format.

Figure 9.11 L2F VPN components.

DataIP Header GRE Header

PPP Payload

TCPOriginal

PPP HeaderIP Header

Internet Corporate Home

Remote Network

NAS

Layer 3 Protocol

IP IP

Layer 3 Protocol

GatewayPSTN

VPN Client

ISP ISP

Network


Firewalls and Virtual Private Networks 201

many firewalls do not support GRE, L2TP is more firewall-friendly than PPTP.In L2TP, the NAS is called the L2TP access concentrator (LAC) and the VPNserver is called the L2TP network server (LNS). Figure 9.13 illustrates thecomponents of an L2TP-based VPN.

L2TP uses PPP dial-up links and, as a result, also uses PAP and CHAP forauthentication. However, it allows the use of RADIUS for userauthentication. L2TP permits multiple tunnels to be created between thesame pair of end-points, allowing the user to create different tunnels withdifferent qualities of service between the same end-points. Figure 9.14illustrates the format of an L2TP packet.

L2TP is supported by many vendors, and is expected to be thepredominant protocol once it becomes a standard. L2TP relies on IPSec toperform data encryption. If L2TP discovers that IPSec is not supported atthe remote end, it uses the less secure PPP encryption. The encryption maybe performed by the user’s workstation or by the LAC, depending on theVPN model that is used. (VPN models are discussed later in this chapter.)

Figure 9.12 L2F packet format.

Figure 9.13 L2TP VPN components.

L2F Header SLIP/PPP PayloadL2F Checksum

(Optional)

Internet Corporate LNS

Remote Network

LAC

Layer 3 Protocol

IP IP

Layer 3 Protocol

PSTN

VPN Client

ISP ISP

Network


202 Chapter 9

Layer 3 Tunneling ProtocolsAs discussed in Chapter 8, IPSec was originally designed to add security to theTCP/IP. IPSec provides packet-level authentication, integrity, and con-fidentiality by adding two security headers: the Authentication Header (AH),which provides header integrity and authentication without confidentiality; andthe Encapsulating Security Payload (ESP) which provides integrity, authentica-tion, and confidentiality to payload (or IP datagrams). ESP permits packet-by-packet encryption and uses a standards-based encryption key managementprotocol. Thus, IPSec VPN can be created with either AH or ESP or both. AHdoes not provide data encryption and is useful in those environments whereonly authentication is required. More importantly, since authentication is notregulated, AH is the preferred method for VPNs that cross U.S. borders. AH alsohas a lower processing overhead than ESP. However, when data encryption isdesired, ESP is used.

One drawback to using IPSec is that it supports only IP. However, PPTP,L2F, and L2TP can support non-IP traffic, such as IPX and AppleTalk,because they are Layer 2 protocols. Unlike IPSec, Layer 2 tunnelingprotocols support individual dial-up access because they use PPP userauthentication, which permits seamless dial-up connections through ISPs.IPSec is designed for security protection between routers and firewalls; itdoes not provide user authentication.

VPN Models

There are two ways to implement Layer 2 VPNs, which are referred to asthe NAS-initiated VPN, and the client-initiated VPN. In both models, theVPN client initiates a remote dial-up to the ISP’s POP. However, the majordifference lies in the extent of the tunnel.

Figure 9.14 L2TP packet format.

DataIP Header UDP TCP/UDPOriginal

PPP Header

PPP Payload

IP Header



NAS-Initiated VPNIn NAS-initiated VPN, a VPN client initiates a dial-up session with the ISP’sNAS. The NAS assigns the user an IP address independent of the user’s IPaddress for the local network. The NAS is responsible for tunneling thepacket through the Internet to the VPN server. Thus, the VPN connectionextends only between the NAS and the VPN server.

A NAS-initiated VPN is also called a compulsory VPN because the clientdoes not participate in its creation and is compelled to use it. Allencryption occurs between the NAS and the VPN server and the twofunctional entities form the end-points of the tunnel. A compulsory VPN iscreated without the user’s consent, meaning that the VPN is transparent tothe user. One of the advantages of the NAS-initiated VPN is that it cansupport multiple connections, which reduces the overhead associated withestablishing one VPN for each connection. However, the connectionbetween the client and the NAS occurs outside the tunnel, making the VPNvulnerable to attacks.

Figure 9.15 illustrates a NAS-initiated L2TP VPN. This model can also beconsidered an out-sourced VPN in which the ISP manages the remote accessneeds of a corporation. It is particularly useful in those environments wherethe information technology staff is not equipped to handle VPN management.

Client-Initiated VPNIn a client-initiated VPN, the VPN client is VPN-enabled (that, the VPNsoftware is already installed). The VPN client dials up the ISP’s local POPto establish a PPP session. Then, using the Internet connection, the client

Figure 9.15 NAS-initiated L2TP VPN model.

Internet

Corporate LNS

VPN Client

LACPSTN

PPP ConnectionL2TP Connection

PPP Connection

ISP

VPN TunnelNetwork

ISP


204 Chapter 9

establishes a VPN connection with the VPN server. In this model, thetunnel extends from the VPN client to the VPN server. The NAS is notinvolved in the tunnel establishment. A client-initiated VPN is also called avoluntary VPN because the user determines when and where to establishthe VPN. The user is responsible for the necessary encryption between theclient and the VPN server.

The VPN server may reside in either the ISP’s network or in the corporatenetwork. If the VPN server resides in the ISP’s network, the contents of thetunnel are delivered to the corporate network via the WAN that the corporaterouter uses to access the ISP’s POP. This WAN may be a frame relay networkor an ISDN network. If the VPN server resides in the corporate network, thetunnel extends from the client directly into the corporate network. Figure9.16 illustrates a client-initiated L2TP VPN with the VPN server in an ISPnetwork and in a corporate network. In the case where the VPN serverresides in the corporate network, the VPN is essentially managed in-house.

Comparison of the ModelsThe client-initiated model permits remote users with VPN-enabled clients todial into any ISP’s POP and establish a tunnel to the corporate network. TheISP’s POP is not required to be VPN-enabled; that is, the NAS functionalitydoes not need to be available at the POP. In the NAS-initiated model, the ISP’sPOP must have NAS functionality. Unlike the NAS-initiated model, the client-initiated model does not bind a corporation to any one ISP; it permits acorporation to change ISPs without changing its addressing scheme. Theclient-initiated model does not lend itself easily to hacker intrusion. The modeldoes not require a company to hand its authentication database over to theISP. Since a company controls both ends of the tunnel, it can impose anydesired requirement for user authentication to prevent unauthorized usersfrom gaining access to its resources. In the NAS-initiated model, a company isrequired to give its authentication database to the ISP. Thus, a hacker canpenetrate the ISP under a false identity.

NAS-initiated VPN permits VPN clients to support tunneling withoutsoftware or hardware upgrades. However, the model requires the ISP tomanage both the addressing and authentication processes. A corporationmay have to restructure its addressing scheme to match the ISP’s scheme.Also, the ISP must be constantly informed of changes in the network.

A Layer 3 VPN, such as IPSec, is more suited to the NAS-initiated modelbecause it is designed primarily to provide security between a router and afirewall. In general, the NAS functionality is implemented in a router and the



VPN server functionality is implemented in a firewall. IPSec is an integral partof IPv6. Thus, unless a VPN client is running IPv6, it may not be economicalfor a legacy end-station implementing VPN client functionality to be equippedto provide the IPSec protocol stack. It may be more economical for the ISP’sNAS to provide IPSec.

Firewalls and VPNs

Firewalls and VPNs go hand in hand. Many firewall products provide encryptedfirewall-to-firewall tunnels. In particular, it was stated that application gateways

Figure 9.16 Client-initiated L2TP VPN model.

InternetCorporate LNS

VPN

POPPSTN

PPP Connection

2nd Call: L2TP Connection

1st Call:

PPP Connection

ISP ISP

VPN Tunnel

VPN

(a) VPN server in ISP network

Server

(b) VPN server in corporate network

Network

Client

InternetCorporate

VPN

POPPSTN

PPP Connection

2nd Call: L2TP Connection

1st Call:

PPP Connection

ISP

VPN TunnelNetwork

Client


206 Chapter 9

provide IP address hiding by encapsulating one IP packet in another. This, byour definition, is the tunneling associated with VPNs.

Firewalls control access to corporate network resources and establish trustbetween the user and the network. Consider the network configuration inFigure 9.17. The firewall at each network controls access to resources in thenetwork. However, the data transmitted between the two sites is stillvulnerable to attack as it traverses the Internet.

On the other hand, VPNs are created to provide privacy between twosites; there is usually no trust between the two sites. A combination offirewalls and a VPN establishes trust and provides privacy between the twosites. This approach provides more security than using either firewalls atboth sites or a VPN between the two sites. Figure 9.18 shows a VPN tunnelbetween two firewalls.

In the past, firewall products provided only firewall security service.However, many new firewall products now support VPN functionality. Asstated earlier, both firewall functionality and VPN functionality are neededto establish effective security control.

Summary

This chapter has presented the basic principles of firewalls and virtualprivate networks. A firewall provides access control to a protectednetwork, protecting a company’s private network from an untrusted publicnetwork. Every access request from a public network to the protected (that

Figure 9.17 Firewalls providing authorized access to two networks.


Firewall

Corporate Premises

Firewall

Branch Office

BranchNetwork



is, corporate) network must pass through the firewall. Different types offirewalls and firewall architectures have also been discussed.

A virtual private network (VPN) provides secure connections using a publicnon-secure network, such as the Internet. VPNs reduce remote access costs byusing public network resources that can be shared by many users. VPNtechnology has enabled companies to build intranets to link branch offices tothe corporate network. Furthermore, the technology enables companies todeploy extranets that securely link corporate networks to those of theirstrategic partners, suppliers, and special customers.

VPNs are used in conjunction with firewalls to provide morecomprehensive security protection for an organization. Firewalls controlaccess to corporate network resources, establishing trust between the userand the network. However, the data transmitted between the user and thecorporate network is still vulnerable to attack as it traverses the Internet.VPNs are created to provide privacy between two sites. Thus, combiningthe two technologies provides more effective access control and increasesprivacy.

Further Reading

More detailed information on the topics discussed in this chapter can be foundin the following references: [ATGVPN], [CHAP95], [CHECK1], [CHECK2],[CISCO5], [CISCO6], [COMPT], [IBMVPN], [IETL2T], [IETPPT], [KOS98A],[MICRO1], [MICRO2], [MICRO3], [RF1701], [RF2341], [SHIVA1], and [TIMEST].

Figure 9.18 VPN tunnel between two firewalls.

InternetCorporate Network

Firewall

Corporate Premises

Firewall

Branch Office

BranchNetwork VPN Tunnel



Documents

Firewalls and Virtual Private Networks - wiley.com · PDF fileFirewalls and Virtual Private Networks 187 Types of Firewalls Firewalls can be classified into three basic categories: